SWIFT Customer Security Program
Since the Bangladesh Bank Heist of 2016, banks have seen a steady increase in high-profile cyberattacks on customers using the Society for Worldwide Interbank Financial Telecommunications (SWIFT).

After its original release, the CSP has been updated on an annual basis to improve its coverage and to take into account the evolution of the cyber threat landscape. Compliance assessment declarations are expected at the end of each year.

SWIFT encourages its users to implement and monitor these customer security controls as part of a broader cybersecurity risk management program, which should be regularly evaluated and adjusted based on leading industry practices and changes to the individual users' security position and infrastructure.

CSCF and CSP Policy Evolution

2017 / 2018
  27 Controls (16 mandatory + 11 Advisory)
  Self-attestation by 31 Dec 2017/2018

2019
  29 Controls (19 mandatory + 10 Advisory)
  Self-attestation by 31 Dec 2019
  3 Controls Promoted to Mandatory:
    2.6 Operator Session flows
    2.7 Vulnerability Scanning
    5.4 Password Storage
  2 New Advisory Controls:
    1.3A Virtualization Platform
    2.10A Application Hardening

2020
  31 Controls (21 mandatory + 10 Advisory)
  Independent assessment by 31 Dec 2019
  2 Controls Promoted to Mandatory:
    1.3A Virtualization Platform
    2.10A Application Hardening
  2 New Advisory Controls:
    1.4A Restrict Internet Access
    2.11A RMA Controls
  1 Control with Scope Extension:
    2.4A Back-office data Flow – MQ / Middleware Server
  • User Guide section transferred to KYC-SA documentation

As of 2020, all SWIFT customers are mandated to support their self-attestation by an independent assessment.
• Self-attestation must be completed between June and December and will then be valid till the end of the following year.
• Self-attestation must be supported by an independent external/internal assessment.
• An annual update cycle is foreseen for CSP policy and CSCF updates.
SWIFT's strategic security principles

SWIFT Customer Security Controls Framework

The Customer Security Controls Framework is a set of core security controls that are mandatory for SWIFT users. The controls are intended to help mitigate specific cybersecurity risks that SWIFT users face due to the cyber threat landscape.

Scope of SWIFT Security Controls

Objectives and Strategic Security Principles

O1. Secure your Environment
  P1. Restrict Internet access and Protect critical systems from general IT environment
  P2. Reduce attack surface & vulnerabilities
  P3. Physically secure the environment

O2. Know and limit access
  P4. Prevent compromise of credentials
  P5. Manage identities & segregate privileges

O3. Detect and respond
  P6. Detect anomalous activity to system or transaction records
  P7. Plan for incident response & information sharing
Deloitte offers holistic services that can support your organization as you address your SWIFT dependencies, balancing the need to reduce risk with the goal of meeting productivity, business growth, and cost optimization objectives:

Impact Assessment: Deloitte will conduct an initial SWIFT risk assessment, provide a prioritization framework, and review current controls

Risk Mitigation Planning: Deloitte will develop a remediation strategy and a roadmap for implementation for identified gaps in controls and processes

Testing: Deloitte will assist in establishing a testing framework and conduct testing to meet CSP requirements

Implementation Support: Deloitte will assist with governance establishment, implementation execution, and war gaming

Independent Assessment: Deloitte will review and validate your compliance with the SWIFT CSP controls and issue independent assurance reports under recognized standards (e.g., ISAE, SOC 2).

While Deloitte is prepared to assist you in connection with the SWIFT Customer Security Controls Framework, please note that Deloitte does not represent or speak for SWIFT, and the Customer Security Controls Framework is part of the contractual framework between SWIFT and its users.
How Deloitte can support your organization

• Deloitte consultants with deep SWIFT CSP experience will conduct a workshop to review your self-attestation and provide you with a high level opinion on remediation activities defined by your organization.
• Our team will interview your staff and inspect system configurations and documentation to deliver a management report that can be used for the self-attestation.
Added values: quick confirmation of your self-attestation, confirmation of your team's understanding of the CSCF, and high level assessment of your remediation plan

• Deloitte can assist you in establishing a testing framework and conduct testing to meet CSP requirements.
• We will conduct an initial SWIFT risk assessment, provide a prioritization framework, and assess your readiness to meet new SWIFT CSP requirements.
Added values: review of SWIFT environment, assessment of controls, and identification of compliance gaps

• Through years of experience with different implementation methods, using all kinds of software and hardware, the Deloitte Cyber team is exceptionally placed to provide assistance with the implementation of controls in the CSCF.
• Our team will design and deploy process and technology solutions to mitigate control gaps, and develop a remediation strategy and a roadmap for implementation for identified gaps in controls and processes.
Added values: a Deloitte team that understands the CSCF will implement controls that will fully mitigate gaps with minimal disruption to your current environment

• The Deloitte team has the depth of experience to review and validate your compliance with the SWIFT CSP controls and issue independent assurance reports under recognized standards (e.g., ISAE, SOC 2).
Added values: independent assessment of your SWIFT environment by a dedicated team with relevant SWIFT cybersecurity assessment experience
Our experience and credentials

As a recognized leader in cybersecurity consulting, Deloitte Cyber can help better align cyber risk strategy and investments with strategic business priorities, improve threat awareness and visibility, and strengthen our clients' ability to thrive in the face of cyber incidents. Using human insight, technological innovation, and enterprise-wide cyber solutions, we manage cyber everywhere, so society can go anywhere.

Value to our clients
• Unrivaled depth of technical knowledge and breadth of industry experience
• Comprehensive suite of solutions from advisory to managed security services
• Ability to develop a cyber risk program in line with the organization's strategic objectives and risk appetite
• Investment in emerging technologies, training, infrastructure, and people
• Global network of 31+ Cyber Centers provide consistency and high level of service

Cyber is everywhere. So are our services.

The ubiquity of cyber drives the scope of our services. Deloitte Cyber advises, implements, and manages solutions across the following areas:

Strategy
• Cyber strategy and transformation
• Cyber risk management
• Cyber training and awareness

Application Security
• ERP process, systems, and integrity controls including SAP S4/HANA & Oracle
• GRC, CRM, and HR security controls
• SecDevOps lifecycle

Emerging Technology
• Internet of Things
• Industrial Control Systems
• Artificial intelligence
• Robotics

Detect and Respond
• Threat intelligence
• Threat monitoring and analytics
• Vulnerability management
• Incident management and response
• Security automation and response

Cloud Infrastructure Security
• Core infrastructure security
• Cloud security
• Asset management
• Mobile and endpoint security
• Technical resilience

Data and Privacy
• Strategy
• Reporting/validation
• Architecture
• Privacy
• Protection

Identity
• Identity governance
• Advanced authentication
• Privileged access management
• User access governance
• Identity analytics
• Digital consumer identity
• Directory services and certificate lifecycle
Contact us
Deloitte Asia Pacific Limited is a company limited by guarantee and a member firm of DTTL. Members of Deloitte Asia Pacific Limited and their related entities, each of which are
separate and independent legal entities, provide services from more than 100 cities across the region, including Auckland, Bangkok, Beijing, Hanoi, Hong Kong, Jakarta, Kuala Lumpur,
Manila, Melbourne, Osaka, Seoul, Shanghai, Singapore, Sydney, Taipei and Tokyo.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms or their related entities
(collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may
affect your finances or your business, you should consult a qualified professional adviser.
No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its
member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person
relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.